Setup

To set up Authenticated Origin Pulls - which help ensure requests to your origin server come from the Cloudflare network - choose whether to enable them on all hostnames in your zone or on a per-hostname basis.

Caution

It is not possible to set up per-hostname authenticated origin pulls with the Cloudflare certificate.

---

Other situations

Use specialized certificates

To apply different client certificates simultaneously at both the zone and hostname level, you can combine zone-level and per-hostname custom certificates.

First set up zone-level pulls using a certificate. Then, upload multiple, specialized certificates for individual hostnames.

Note

Since per-hostname certificates are more specific, they take precedence over zone certificates.

Delete a certificate

Client certificates are not deleted from Cloudflare upon expiration unless a delete or replace request is sent to the Cloudflare API.

However, requests are dropped at your origin if your origin only accepts a valid client certificate.

Replace a client cert (without downtime)

For hostname:

1. Upload the new certificate.

2. Enable Authenticated Origin Pulls for that specific hostname.

For global:

1. Upload the new certificate.

2. Check whether new certificate is Active.

3. Once certificate is active, delete the previous certificate.